Hey, you just necroed, and this is crazy, but you brought me here, so I'm quoting the:

project2051 wrote:In MI, probably one of the most common illegal purchases for non-illegal usage is straw purchases by future police officers.

For in MI you can own a handgun at age 18, but FFLs can't sell handguns (or handgun ammo) to anyone under 21; in-state consumer-to-consumer sales/purchases can be made (a purchase permit/registration is still needed). So when someone under 21 goes into some kind of police school and is required to have their own handgun for training, they have to buy a used gun from someone, or many times have an older family member buy a new gun and then "sell" it to them, which is technically illegal. The process is legal; the intent to transfer coming before the first purchase makes it illegal.

You're telling us you have police officers there who don't use their handguns to commit crimes?

tmesis wrote:

AvatarIII wrote:there is never an i before the u in Platinum, even in British English

History of Discovery (https://www.azom.com/article.aspx?ArticleID=1530)

1807

The English chemist Sir Humphrey Davy underlined the existence of the element arguing that "alum" was the salt of an unknown metal which he said should be called ‘alumium’. The name was respelt as the more pleasant sounding ‘aluminium’ by later scientists. Davy tried unsuccessfully to produce aluminium by electrolysing a fused mixture of aluminium oxide and potash.

1825

Following Davy’s work the Danish physicist H.C. Oersted managed to produce the first nodules of aluminium by heating potassium amalgam with aluminium.

1845

Friedrich Wöhler in Germany established many of the metal’s properties, including the remarkable lightness. It was the discovery of this property that truly excited researchers and paved the way for more generous development funding.

1854

The Frenchman Henri Sainte-Claire Deville developed a reduction process using sodium which, with further refinement by others, allowed the production of high cost metal in limited quantities and his process was copied throughout Europe. Scientists were now in the position to produce kilograms rather than mere grams - an important step towards the industrial use of aluminium.

You going to tell us you guys invented horse-riding and distinct left and right shoes, too?

TV4Fun wrote:Sigh at this whole thread. The reason you are required to type your password twice is that it is obscured and so you can't tell if you mistyped it. Requiring you to type an email address, which is generally not obscured and you can see if you mistype, is just idiotic. I have seen websites with registration forms that make you type your email address twice and only make you type your (obscured) new password once. It is insanity.

If you type your password incorrectly, you can use your email address to reset your account. If you type your email address incorrectly, then, unless you also have a separate username that can be used to login with, you're out of luck.

And insanity is relying on people to do the sensible thing rather than the convenient thing.

Using email addresses as username is Evil.

Telling people to log in with their email addresses but actually requiring them to use their usernames doesn't help much either.

If it helps, think of it as one less thing for the user to remember - rather than having username, password and recovery email address in case you forget either of the first two, just have email and password. A username is only really useful for interacting with other people through the site, so sites that don't have that aspect (eg online shops) can do without the redundant GUID.

speising wrote:the problem is that you are forced to have the same, predictable username on many different sites (unless you go to some trouble acquiring many email addresses).

And why is that a problem when it's not public-facing? You're not giving the website any information they aren't getting already (and you can always make up an email address if you don't want the site knowing a real one for you) and they're not sharing it with others.

If the site does let you share attributed information with other users of the site, then you should have a display name, which may or may not be used as a username to log in with.

because sites get hacked.

also, maybe i want to create a second account.

If the site gets hacked, the hackers can get your recovery email anyway. And creating a second account will usually require a second email address so account recovery can be done even if you forget your username.

It occurred to me recently that you should really only need your email, no username or password, and your email could have served as single sign-in all this time without requiring any kind of central authority.

You go to a site. You punch in your email address. The site sends an auto-generated-just-this-moment large password string to that email address. If your email client is smart and with the program, it recognizes from the formatting that this is a special kind of password email, and passes that password string back to the browser, which then logs you in using it. If your email client is not smart, you click a link in the email that does the same thing. (If your email client is really not smart, you copy and paste the string.)

If you are not the owner of the email address you entered, then the owner of that email address gets the password email instead, and knows someone is trying to log into their account somewhere, and you the person trying to use their email address to log into something get nothing.

Of course this makes keeping your email secure even more important, but already, if you're in someone's email account you can completely fuck them, so seriously, if your email is not secure already, make it secure now.

Pfhorrest wrote:If your email client is smart and with the program, it recognizes from the formatting that this is a special kind of password email, and passes that password string back to the browser, which then logs you in using it.

So, if you have a smart email account, and I know your address, I can log in as you by entering your email address and letting your email client do the rest.

Sweet.

Never trust a phone that's smarter than you are.

Jose

Order of the Sillies, Honoris Causam - bestowed by charlie_grumbles on NP 859 * OTTscar winner: Wordsmith - bestowed by yappobiscuts and the OTT on NP 1832 * Ecclesiastical Calendar of the Order of the Holy Contradiction * Heartfelt thanks from addams and from me - you really made a difference.

No, you can log me in, on my device that's logged into my email. (Along with smart mail clients, browsers should also be smart enough to say "uh I didn't ask for this" and alert you to that fact).

Your browser, on your device, is still waiting for either your mail client to pass along my credentials, or you to click a link from a message in my inbox, or you to copy and paste the password from said message. If you're not logged into my email, then none of that is going to happen and you'll be waiting a long time.

If you are logged into my email, then I'm already screwed with things how they are now.

Oh, that's what you mean by "with the program". OR do you mean that it's a webmail client, so using the same browser? Seamonkey has a browser and regular (SMTP/POP) email client bundled together, but Thunderbird and Firefox are not linked that way, and one can easily browse with Firefox while not even running Thunderbird.

Jose

I meant "with the program" in the colloquial sense of "participating". I don't have any specific technical relation between mail client and browser in mind, but the important part is just that they're on the same machine. If I'm in Russia on my laptop with its browser and I log into the xkcd forums with your email address and you on your phone in America get the password-email in your mail client, that doesn't do me any good.

At most, your browser on your phone in America suddenly opens to the xkcd forum. Or a login cookie is just silently set for you maybe. Ideally, your browser would say to you that it didn't request a login and alert you that something weird is happening. In any case, something happens on your machine to log you in over there, and my browser on my machine is sitting here waiting for a password to proceed.

Unless my laptop over here in Russia is also logged into your email account, just like your phone is, but if that's the case you're already screwed now.

Pfhorrest wrote:At most, your browser on your phone in America suddenly opens to the xkcd forum. Or a login cookie is just silently set for you maybe.

Both of those are Bad.

But suppose you are in Russia and want to log into your xkcd account. You open Firefox on your laptop and submit your own email address. Either

a: an email gets sent to you which you then have to retrieve by opening up Thunderbird and logging into your email account normally, finding the email that xkcd sent you, opening it to click the link, getting distracted by all the other emails waiting for you.... oh yeah, xkcd. Click the link, which lets xkcd let you in (assuming you let scripts and such run...).

or b: the xkcd page in Firefox forces open your Thunderbird email client, tells it to search for that email, and click the link for you, which opens your default browser (Firefox? Opera? Internet Exploder?) and sets the appropriate persimmons. Nah, nothing can go wrong here. No way that can be exploited.

Or c: Something else? A service worker that is its own email client?

Computers are already too uppity. Don't give them too many ideas!

Jose

(Aside from ninjaings written while I was forced to power-off until I could recharge enough…)

How does an email setup that will auto-open the asked-for link (sent to it by email to satisfy the browser credential scheme) do this effortlessly and yet not effortlessly succumb to a suitably-crafted exploit someone else passes you (in the guise of such a return-of-authentication message)?

Not to mention the MITM opportunities, or additional tomfoolery possible by an existing MITMer switching out and in the necessary authorisations.

Certainly it would be possible to trick the mail client into auto-opening another link besides the authentication link, sure.

If following a link is enough to compromise your system, though, you already have much bigger problems.

And Jose: yeah, A would be slightly obnoxious, if you don't already always have your email open. Some sites (like Tumblr, I think? Some major one I don't really use, probably that) already function this way, which is what inspired the idea. B wouldn't happen the way you describe in my implementation: the site would just send an email. The browser wouldn't do anything but sit at the site page waiting for some kind of input. The email client, if it's on board with this scheme, would upon receipt of such an email send such an input to the browser; otherwise, fall back to A. So if your email client is already open, then you just get logged in. If it's not, you have to open your mail client to complete the login. But that's no worse than existing single sign-in systems, where you "Log in with Facebook" or whatever, and if you're already logged into Facebook it just works immediately, but if not, then you have to log into your Facebook account for it to finish.
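As an added example (not code from anyone in the thread), here is a minimal Python model of the email-token login Pfhorrest describes, built the way the "my browser is still waiting for the password" argument requires: the mailed token is stored only as a hash, expires, is single use, and is bound to the browser session that asked for it, so a token landing in someone else's inbox cannot finish a login that their browser never requested. The `MagicLinkLogin` and `scenario` names, the addresses and the in-memory inboxes are all constructed for the illustration.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 600  # seconds a mailed login token stays valid


class MagicLinkLogin:
    """Email-only login: mail a one-time token, finish only in the session that asked."""
    def __init__(self, send_mail, now=time.time):
        self.send_mail = send_mail  # send_mail(address, token): constructed transport
        self.now = now
        self.pending = {}   # session_id -> (email, sha256(token), expiry)
        self.sessions = {}  # session_id -> logged-in email

    def request_login(self, email):
        session_id = secrets.token_urlsafe(16)  # cookie set in the requesting browser
        token = secrets.token_urlsafe(32)       # the "large password string"
        digest = hashlib.sha256(token.encode()).hexdigest()  # store only the hash
        self.pending[session_id] = (email, digest, self.now() + TOKEN_TTL)
        self.send_mail(email, token)            # only the inbox owner ever sees this
        return session_id

    def complete_login(self, session_id, token):
        entry = self.pending.get(session_id)
        if entry is None:
            return False  # this browser never asked to log in: nothing to complete
        email, digest, expiry = entry
        if self.now() > expiry:
            del self.pending[session_id]
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), digest):
            return False
        del self.pending[session_id]  # single use
        self.sessions[session_id] = email
        return True


def scenario():
    """Constructed walk-through of the thread's two cases; returns the outcomes."""
    inboxes = {}
    site = MagicLinkLogin(lambda addr, tok: inboxes.setdefault(addr, []).append(tok))
    alice = site.request_login("alice@example.test")    # Alice from her own browser
    own_login = site.complete_login(alice, inboxes["alice@example.test"][0])
    mallory = site.request_login("alice@example.test")  # Mallory types Alice's address
    mailed = inboxes["alice@example.test"][1]           # lands in Alice's inbox, not Mallory's
    return {
        "alice_logs_herself_in": own_login,
        "mallory_without_token": site.complete_login(mallory, "guess"),
        "alice_client_auto_submits_in_her_own_browser": site.complete_login(alice, mailed),
        "mallory_with_alice_inbox": site.complete_login(mallory, mailed),
        "token_replayed_after_use": site.complete_login(mallory, mailed),
    }
```

The only path that succeeds for Mallory is already holding Alice's inbox, which is exactly the "you're already screwed" case conceded in the thread; a smart mail client forwarding the token into Alice's own browser changes nothing, because her session has no pending request to complete.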